Managed Service Provider Identifies Potential Chinese Spy Ring


Officials from the Cybersecurity and Infrastructure Security Agency (CISA) have described software and managed service providers as being on the front lines of national defense against threat actors, from domestic criminals to nation-state actors and international spies. But it’s not every day you see this in action.

Lincoln, Nebraska-based technology service provider ArcLight Solutions recently identified what looked like the activity of a Chinese spy ring that had infiltrated an unnamed Midwestern manufacturing company.

Anomalous Activity Discovered

Frank Barrett, CTO, ArcLight Solutions

As part of a routine assessment of a prospective client that wanted help with its ERP system, ArcLight Solutions added SaaS Alerts monitoring to the prospect’s Office 365 tenant. Within four days, SaaS Alerts flagged multiple hits on the tenant from China, even though the prospect said it had controls in place to block access from everywhere except the U.S., one part of the U.K. and an outsourcing partner in India, according to ArcLight Chief Technology Officer Frank Barrett.

“I told them, ‘I’m getting these hits from China. Are you sure you don’t do any business over there?’” Barrett said. The manufacturing company confirmed that it didn’t do business in China and said it wanted to take a closer look. Barrett and officials from the manufacturer looked at log files together. When they saw the user ID associated with the activity, the manufacturing company representatives were quiet for a moment and then told Barrett they suspected that individual of being a spy for some time, Barrett said.

“That’s not something you hear every day,” said Barrett, who is also an Army veteran and a former government IT worker.

Next Steps

Barrett said he used Barracuda to trace the emails via Sharelink. Some of the emails had been sent to generic mail servers that all geolocated to a two-block area in China. Barrett contacted SaaS Alerts for further guidance, and SaaS Alerts, Barrett and the manufacturer then watched the account together to rule out a one-off anomaly or false positive. The activity continued. SaaS Alerts and ArcLight recommended that the manufacturer hand the investigation over to the federal authorities responsible for tracking international espionage.

Barrett and SaaS Alerts said they could not share any additional information about the investigation. About 45 days had passed since the behavior was first discovered at the manufacturing company.

What SaaS Alerts Identifies

Jim Lippie, CEO of SaaS Alerts, told ChannelE2E that the SaaS Alerts platform provides security monitoring and response for software-as-a-service (SaaS) applications on behalf of managed service providers. The service was introduced as the world moved from network-based and on-premises software (Microsoft Office installed on a PC, for example) to cloud-based systems such as Office 365. SaaS Alerts works with both Microsoft 365 and Google Workspace and tracks user behavior, both internal and external. Lippie said the platform tracks 254 different user-behavior events. One such event is a user changing an email forwarding rule; another is a user granting themselves elevated privileges.
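To make concrete what the checks described in this article look like (the sign-in-from-an-unexpected-country anomaly that surfaced the account in the earlier section, and the forwarding-rule and self-elevation events Lippie lists), here is a small detector in working form. It is an added example, not SaaS Alerts’ or ArcLight’s code. The records it scans are constructed and only loosely modeled on Microsoft 365 unified audit log entries; the allowed-country list, the prefix-to-country table, the user names and the mail addresses are all assumptions made for the example.

```python
import ipaddress
import json
from dataclasses import dataclass

# Countries this (hypothetical) tenant says it does business with; a sign-in
# from anywhere else is treated as anomalous. Assumed values for the example.
ALLOWED_COUNTRIES = {"US", "GB", "IN"}

# Constructed stand-in for a GeoIP database (prefix -> ISO country code).
# The prefixes are RFC 5737 documentation ranges; the country labels are
# invented for the example. A real deployment would query a GeoIP provider.
GEOIP_PREFIXES = {
    "203.0.113.0/24": "CN",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "IN",
}

# Inbox-rule parameters that send mail outside the mailbox.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str


def geolocate(ip: str) -> str:
    """Resolve an IP to a country code using the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for prefix, country in GEOIP_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return country
    return "??"


def check_record(rec: dict) -> list[Alert]:
    """Apply the three detection rules to one audit record."""
    alerts = []
    op = rec.get("Operation", "")
    user = rec.get("UserId", "")

    # Rule 1: successful sign-in from outside the allowed countries.
    # (Failed attempts belong in a separate brute-force rule.)
    if op == "UserLoggedIn" and rec.get("ResultStatus") == "Success":
        ip = rec.get("ClientIP", "0.0.0.0")
        country = geolocate(ip)
        if country not in ALLOWED_COUNTRIES:
            alerts.append(Alert("geo-anomaly", user, f"sign-in from {ip} ({country})"))

    # Rule 2: an inbox rule that forwards or redirects mail.
    if op in ("New-InboxRule", "Set-InboxRule"):
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        hits = sorted(FORWARDING_PARAMS & params.keys())
        if hits:
            detail = ", ".join(f"{h}={params[h]}" for h in hits)
            alerts.append(Alert("mail-forwarding-rule", user, detail))

    # Rule 3: the actor adds their own account to a directory role.
    if op == "Add member to role." and user and rec.get("ObjectId", "").lower() == user.lower():
        role = next((p.get("NewValue") for p in rec.get("ModifiedProperties", [])
                     if p.get("Name") == "Role.DisplayName"), "?")
        alerts.append(Alert("self-privilege-escalation", user, f"role={role}"))

    return alerts


def scan(lines) -> list[Alert]:
    """Run check_record over newline-delimited JSON audit records."""
    alerts = []
    for line in lines:
        if line.strip():
            alerts.extend(check_record(json.loads(line)))
    return alerts


# Constructed sample records (invented users, addresses and IPs).
SAMPLE_RECORDS = [
    {"Operation": "UserLoggedIn", "UserId": "alice@example.com",
     "ClientIP": "198.51.100.10", "ResultStatus": "Success"},
    {"Operation": "UserLoggedIn", "UserId": "bob@example.com",
     "ClientIP": "203.0.113.44", "ResultStatus": "Success"},
    {"Operation": "UserLoggedIn", "UserId": "bob@example.com",
     "ClientIP": "203.0.113.44", "ResultStatus": "Failed"},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "archive"},
                    {"Name": "ForwardTo", "Value": "drop@mail.invalid"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "tidy"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Add member to role.", "UserId": "bob@example.com",
     "ObjectId": "bob@example.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName",
                             "NewValue": "Global Administrator"}]},
    {"Operation": "Add member to role.", "UserId": "admin@example.com",
     "ObjectId": "carol@example.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName",
                             "NewValue": "Helpdesk Administrator"}]},
]
SAMPLE_LOG = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Running the file prints three alerts, all against the same invented account: a sign-in geolocated to a country the tenant does not operate in, a new inbox rule that forwards mail externally, and a role assignment where the actor and the target are the same user. In a real tenant the records would come from the Exchange Online Search-UnifiedAuditLog cmdlet or the Office 365 Management Activity API, and geolocation from a proper GeoIP database; both are assumed rather than used here. The point of the three rules together is the one the article makes: a single out-of-country hit is a question to ask the customer, but the same account also quietly exfiltrating mail and raising its own privileges is what turns it into an investigation.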

Although there’s no additional information available about the outcome of the suspected Chinese spy case, there is positive news for ArcLight Solutions, which began as a data center services company and recently began building out managed services and managed security services practices. ArcLight Solutions is in talks with the manufacturing company about establishing a long-term virtual CIO/CISO engagement.

Jessica C. Davis

Jessica C. Davis is editorial director of CyberRisk Alliance’s channel brands, MSSP Alert, MSSP Alert Live, and ChannelE2E. She has spent a career as a journalist and editor covering the intersection of business and technology including chips, software, the cloud, AI, and cybersecurity. She previously served as editor in chief of Channel Insider and later of MSP Mentor where she was one of the original editors running the MSP 501.